Neo4j Log Injection Vulnerability Allowing Cross-Site Scripting

Vulnerability

A log injection vulnerability has been identified in Neo4j Enterprise and Community editions prior to 2026.01. This issue arises from inadequate escaping of Unicode characters in the query log, which can lead to cross-site scripting (XSS) if the logs are opened in a tool that interprets them as HTML. Although there is no direct security impact on Neo4j products, this advisory recommends treating the logs as plain text when using versions prior to 2026.01.

Impact

Exploitation of this vulnerability allows for log injection, where an authenticated user can inject fake log entries into the query.log. This could be abused to insert XSS payloads, posing a risk for web-based log analysis applications, or ANSI escape characters, which could affect terminal-based log interactions.

Reproduction

The vulnerability can be reproduced by sending control characters in the metadata field of a Bolt transaction. This can be done using the Neo4j Python driver by injecting newlines and other control characters into the log. The injected queries will appear legitimate but will include malformed artifacts due to the injection. The fake log entries can be verified by checking the query.log, where they will be recorded as if they were real queries executed by the user.
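The two defensive measures the advisory implies, treating query.log as plain text and escaping untrusted values before they reach a log line, can be shown in a few lines of Python. The block below is an added example, not Neo4j's code or part of the advisory: it escapes control characters and Unicode line separators so a user-supplied metadata value cannot forge a new entry or drive a terminal, HTML-escapes an entry before a web viewer renders it, and scans existing log lines for the artifacts described above (ANSI escapes, raw control characters, HTML tags, and continuation lines with no timestamp, which is what an injected newline leaves behind). The sample lines are constructed and only loosely imitate the shape of a query.log entry; the timestamp prefix and field layout are assumptions, not the product's exact format.

```python
"""Defensive handling of log entries that may carry injected control characters.

Added example; not Neo4j's code. The sample log lines below are constructed and
only loosely imitate the shape of a query.log entry (assumed layout).
"""
import html
import re

# C0 controls (except TAB), DEL, C1 controls, and the Unicode line/paragraph
# separators U+2028/U+2029, all of which can start a new "line" in some viewers.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f\u2028\u2029]")
# CSI-style ANSI escape sequence, e.g. ESC [ 31 m (colour) or ESC [ 2 J (clear).
_ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# Anything that looks like an HTML tag; harmless in plain text, not in a browser.
_HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Assumed entry prefix: "YYYY-MM-DD HH:MM:SS.mmm+ZZZZ ".
_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} ")


def sanitize_for_log(value: str) -> str:
    """Escape characters that could forge a new log line or drive a terminal.

    Each offending character becomes a visible \\uXXXX sequence, so the value
    still reads as text but always stays on the line it was written to.
    """
    return _CONTROL_RE.sub(lambda m: "\\u{:04x}".format(ord(m.group())), value)


def render_for_html(entry: str) -> str:
    """Escape a log entry before a web-based viewer inserts it into the DOM."""
    return html.escape(entry, quote=True)


def scan_log(lines):
    """Flag lines that show signs of log injection.

    Returns a list of (index, reasons) for every suspicious line. A line with no
    timestamp prefix is reported as a continuation of the previous entry, which
    is the footprint an injected newline leaves in the file.
    """
    flagged = []
    for i, line in enumerate(lines):
        reasons = []
        if _CONTROL_RE.search(line):
            reasons.append("control-char")
        if _ANSI_RE.search(line):
            reasons.append("ansi-escape")
        if _HTML_TAG_RE.search(line):
            reasons.append("html-tag")
        if not _TIMESTAMP_RE.match(line):
            reasons.append("missing-timestamp")
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample: one clean entry, then entries whose metadata field carries
# an ANSI sequence, an HTML tag, and a raw newline (which splits the entry).
SAMPLE_LOG = [
    "2026-02-06 14:20:00.000+0000 INFO  3 ms: bolt-session neo4j - MATCH (n) RETURN count(n) - {} - {app: 'reporting'}",
    "2026-02-06 14:20:01.000+0000 INFO  2 ms: bolt-session neo4j - RETURN 1 - {} - {app: '\x1b[31mALERT\x1b[0m'}",
    "2026-02-06 14:20:02.000+0000 INFO  1 ms: bolt-session neo4j - RETURN 2 - {} - {app: '<script>alert(1)</script>'}",
    "2026-02-06 14:20:03.000+0000 INFO  1 ms: bolt-session neo4j - RETURN 3 - {} - {app: 'a",
    "b'}",
]

if __name__ == "__main__":
    for index, reasons in scan_log(SAMPLE_LOG):
        print(f"line {index}: {', '.join(reasons)}")
    print(sanitize_for_log(SAMPLE_LOG[1]))
```

Running the block reports lines 1, 2 and 4 of the sample; passing each metadata value through `sanitize_for_log` before it is written removes the first and last finding, and `render_for_html` neutralises the remaining one at display time. The scanner is a triage aid, not proof of absence: a forged entry that includes a well-formed timestamp prefix looks like any other line, which is why the advisory's fix (escaping at write time in 2026.01) matters more than after-the-fact scanning.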

Remediation

Users are advised to update to Neo4j version 2026.01 or later, where this vulnerability has been addressed.

Added: Feb 6, 2026, 2:20 PM
Updated: Feb 6, 2026, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread:         5.0
impact:         1.0
exploitability: 5.8
remediation:    0.0
relevance:      2.7
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.